10880207

Methods and Systems for Flow Virtualization and Visibility

Published: December 29, 2020
Assignee: not available in USPTO data we have

Patent Claims
7 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method of providing for flow-based policies within a network, the method comprising: for each of a plurality of packets addressed according to a first network layer communication protocol for transmission between a client application and a server application, appending, to the packet, a source address of the packet formatted according to a second network layer communication protocol and a forwarding label derived from at least a portion of the source address, wherein the source address includes packet-source authentication information that is used to determine whether or not said packet was corrupted or tampered with during the transmission of the packet between the client application and the server application, wherein the packet-source authentication information is a first hash of a unique identifier (UID) and/or a group identifier (GID) of a process at an originating host that is initiating a transaction, a universally unique identifier (UUID) of the originating host, and a network interface address of the originating host, wherein the source address further includes a prefix field that stores an address of an interface of an intended receiving endpoint, and wherein the source address further includes an interface identity field that stores the network interface address of the originating host; and conveying said packets within a network according to the forwarding labels, wherein said network comprises a plurality of communicably coupled nodes between the client application and the server application, and at one or more of said plurality of nodes of the network, applying one or more prescribed policies to said packets, said policies being prescribed on a basis of information included within the respective source addresses.

Plain English Translation

Network security and traffic management. This invention implements flow-based policies in a network by enhancing packet structure to carry policy-relevant information. The method modifies packets transmitted, under a first network-layer protocol, between client and server applications. To each packet it appends two things: a source address formatted according to a second network-layer protocol, and a forwarding label derived from at least a portion of that source address. Crucially, the source address contains packet-source authentication information: a hash of the process identifier (UID and/or GID) at the originating host, the originating host's universally unique identifier (UUID), and the originating host's network interface address. This information is used to determine whether the packet was corrupted or tampered with in transit. The source address also includes a prefix field holding the address of the intended receiving endpoint's interface and an interface identity field holding the originating host's network interface address. The packets are then conveyed through a network of interconnected nodes according to their forwarding labels, and at one or more of those nodes policies are applied to the packets. These policies are prescribed on the basis of information carried in the appended source addresses, which is what enables flow-based policy enforcement.

Claim 2

Original Legal Text

2. The method of claim 1, wherein the source address has a format of an Internet protocol version 6 (IPv6) address.

Plain English Translation

Claim 2 narrows claim 1 by fixing the format of the appended source address: it has the format of an Internet Protocol version 6 (IPv6) address, that is, a 128-bit address. In practice this means the prefix field, the interface identity field and the packet-source authentication hash of claim 1 are all packed into a single 128-bit value, so existing IPv6-capable routers, switches and hosts can parse and forward the enhanced packet as they would any IPv6 packet, while policy-aware nodes can read the embedded fields.

Claim 3

Original Legal Text

3. The method of claim 2, wherein the forwarding label is a multiprotocol label switching (MPLS) label.

Plain English Translation

Claim 3 further specifies that the forwarding label appended in claim 1, which is derived from a portion of the IPv6-format source address, is a Multiprotocol Label Switching (MPLS) label: the standardized label used in MPLS networks to direct packets along label-switched paths (LSPs). An MPLS label entry carries a 20-bit label value, a traffic class field and a time-to-live (TTL) field, so routers and switches can forward a packet by label lookup rather than by inspecting the packet more deeply. Forwarding on labels reduces per-hop processing overhead; label assignment, label swapping and label removal along the path are the standard MPLS operations that keep the packet on its route. MPLS labels also support traffic engineering, quality of service (QoS) and virtual private network (VPN) services, which suits large and complex network environments. In the context of this patent, because the label is derived from the policy-bearing source address, the label stands in for that address at forwarding nodes, and the policy engine can keep the two associated (see claim 5).

Claim 4

Original Legal Text

4. The method of claim 3, wherein, for each of the packets, the source address is received from a policy engine remote from a computer-based platform at which the source address is appended to the packet.

Plain English Translation

The invention relates to network packet processing, specifically to systems where source addresses are dynamically assigned to packets based on policy decisions. The problem addressed is the need for flexible and centralized control over packet source addressing in network communications, particularly in environments where packets may need to be routed or processed differently based on their origin. The method involves receiving network packets at a computer-based platform, where each packet is processed to append a source address. The source address is not locally determined but instead is provided by a remote policy engine. This policy engine evaluates certain criteria (e.g., packet content, network conditions, or security policies) and dynamically assigns the appropriate source address for each packet. The platform then appends this assigned address to the packet before further transmission or processing. This approach allows for centralized management of source addressing, enabling dynamic routing, load balancing, or security enforcement based on real-time policy decisions. The remote policy engine can be updated or reconfigured without modifying the platform, providing scalability and adaptability in network operations. The method ensures that packets are tagged with the correct source address according to predefined or dynamically adjusted rules, improving network efficiency and security.

Claim 5

Original Legal Text

5. The method of claim 4, further comprising, for each of the packets, maintaining, by the policy engine, an association between the forwarding label and the source address.

Plain English Translation

The invention relates to network packet processing and routing, specifically addressing the challenge of maintaining consistent forwarding policies for packets originating from the same source address. It involves a policy engine that assigns forwarding labels to packets based on predefined routing rules. For each packet processed, the policy engine not only applies the appropriate forwarding label but also establishes and retains a persistent association between that label and the packet's source address. This ensures that subsequent packets from the same source are consistently routed according to the same policy, improving network efficiency and reducing the need for repeated policy evaluations. The association is maintained dynamically, allowing the system to adapt to changes in network conditions or routing policies while preserving the integrity of the forwarding decisions for ongoing traffic flows.

Claim 6

Original Legal Text

6. The method of claim 1, further comprising, for at least one of the packets and at any of the nodes of the network, extracting identification information and the packet-source authentication information of the packet, forwarding the identification information and the packet-source authentication information of the packet to a policy engine, and receiving, from the policy engine, an indication concerning an authenticity of the packet.

Plain English Translation

A method for verifying the authenticity of packets in a network, addressing the problem of ensuring data integrity and preventing unauthorized or malicious transmissions. The invention involves processing packets at any node within the network by extracting identification information and packet-source authentication details from the packet. These extracted details are then forwarded to a policy engine, which evaluates the authenticity of the packet based on predefined criteria or rules. The policy engine subsequently provides an indication regarding the packet's authenticity, allowing the node to determine whether to accept, reject, or further process the packet. This approach enhances network security by dynamically assessing packet legitimacy at intermediate or endpoint nodes, reducing the risk of unauthorized access or data tampering. The method operates independently of packet type or network topology, making it adaptable to various communication protocols and network configurations.

Claim 7

Original Legal Text

7. The method of claim 6, further comprising generating, by the policy engine, the indication concerning the authenticity of the packet according to whether or not a second hash of the identification information corresponds to the packet-source authentication information.

Plain English Translation

This claim specifies how the policy engine of claim 6 produces its indication of authenticity. The engine computes a second hash over the identification information that the node extracted from the packet (per claim 1, the process UID and/or GID, the originating host's UUID and its network interface address) and compares the result with the packet-source authentication information carried in the packet's source address, which is the first hash computed at the originating host. If the second hash corresponds to the carried value, the packet is indicated as authentic; if it does not, the packet is indicated as not authentic, which signals that the source address fields were corrupted or tampered with in transit, or that the identification information does not belong to the claimed originator. Because the node forwards only the identification information and the carried hash, verification is centralized at the policy engine, and the node can then accept, reject or further process the packet according to the engine's indication. This reduces the risk of source spoofing or tampering in environments where packet integrity and source authenticity matter.
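As an added example (not code from the patent or from Patentable), here is one concrete encoding of the claim 1 source address, the claim 3 label derivation, and the claim 6-7 policy-engine check. The field widths, the hash function (SHA-256, truncated) and the label-derivation rule are all assumptions, since the claims fix none of them.

```python
import hashlib
import ipaddress
import uuid

# Assumed layout of the 128-bit (IPv6-format) source address of claims 1-2.
# The claims name the three fields but not their widths; widths are this example's choice:
#   bits 127..64  prefix field         : /64 of the intended receiver's interface address
#   bits  63..16  interface identity   : 48-bit MAC of the originating host
#   bits  15..0   packet-source auth   : truncated hash (the "first hash" of claim 1)
TAG_BITS = 16
MAC_BITS = 48


def auth_tag(uid: int, gid: int, host_uuid: uuid.UUID, mac: bytes) -> int:
    """First hash: SHA-256 over process UID/GID, host UUID and interface address, truncated."""
    msg = uid.to_bytes(4, "big") + gid.to_bytes(4, "big") + host_uuid.bytes + mac
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") & ((1 << TAG_BITS) - 1)


def build_source_address(receiver: ipaddress.IPv6Address, uid: int, gid: int,
                         host_uuid: uuid.UUID, mac: bytes) -> ipaddress.IPv6Address:
    """Originating host side (claim 1): compose the source address appended to each packet."""
    prefix = int(receiver) >> 64
    ident = int.from_bytes(mac, "big")
    tag = auth_tag(uid, gid, host_uuid, mac)
    return ipaddress.IPv6Address((prefix << 64) | (ident << TAG_BITS) | tag)


def forwarding_label(addr: ipaddress.IPv6Address) -> int:
    """Claim 3: a 20-bit MPLS label derived from a portion of the source address
    (here the low 20 bits of the prefix field; the derivation rule is assumed)."""
    return (int(addr) >> 64) & 0xFFFFF


def policy_engine_check(addr: ipaddress.IPv6Address, uid: int, gid: int,
                        host_uuid: uuid.UUID) -> bool:
    """Claims 6-7: a node forwards the identification information (uid, gid, host UUID)
    plus the carried tag; the engine recomputes the hash and reports whether they match."""
    mac = ((int(addr) >> TAG_BITS) & ((1 << MAC_BITS) - 1)).to_bytes(6, "big")
    carried = int(addr) & ((1 << TAG_BITS) - 1)
    # An unkeyed hash over identifiers the verifier already holds detects corruption or
    # tampering of the address fields; it is not a secret-based proof of origin.
    return carried == auth_tag(uid, gid, host_uuid, mac)


# Constructed sample values (not from the patent).
RECEIVER = ipaddress.IPv6Address("2001:db8:abcd:1234::1")
HOST_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
MAC = bytes.fromhex("001122334455")
```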

Patent Metadata

Filing Date

Unknown

Publication Date

December 29, 2020

Inventors

Shrijeet Mukherjee
Sameer Merchant
Wilson Kok
Roopa Prabhu


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHODS AND SYSTEMS FOR FLOW VIRTUALIZATION AND VISIBILITY” (10880207). https://patentable.app/patents/10880207

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10880207. See llms.txt for full attribution policy.